Every time an AI needs to push code to GitHub, the standard advice is: paste your PAT into a config file or hand it to the AI in your prompt. Both approaches leave the token exposed - in your chat history, in a dotfile checked into the repo, or logged somewhere you cannot audit.
Keepra's GitHub MCP tools take a different approach. The AI never sees your token. It sends only a vault item ID to the tool, Keepra fetches the PAT from your encrypted vault server-side, uses it for exactly one git operation, and strips it from every line of output before sending anything back.
The only value the AI ever handles is vault_item_id: "mqs4s1lhaexe", a random identifier that means nothing without Keepra running. The PAT itself stays inside the vault, AES-256-GCM encrypted, the entire time.
The four GitHub MCP tools
| Tool | What it does | Triggers CI? |
|---|---|---|
| github_push_branch | Push a local branch to a remote branch | Only if a workflow watches that branch |
| github_create_tag | Create an annotated tag and push it | Only if a workflow triggers on tags (for example v*) |
| github_check_ci | Poll the latest workflow run status | No |
| github_release_upload | Upload a file asset to a GitHub release | No |
What you need
- Keepra desktop app running (Windows; macOS/Linux coming).
- A GitHub account with at least one repository.
- An MCP-compatible AI client already connected to Keepra. If you have not done that step yet, start with Connect Your AI to Keepra with MCP first.
Step 1: Create a fine-grained GitHub PAT
Go to github.com → Settings → Developer settings → Personal access tokens → Fine-grained tokens → Generate new token.
The exact permissions depend on your repository. Here is the minimum set:
| Permission | Level needed | Why |
|---|---|---|
| Metadata | Read (auto-selected) | Required by GitHub, cannot be removed |
| Contents | Read & Write | Required for git push / tag creation |
| Workflows | Read & Write | Required if your repo has .github/workflows/ files |
| Actions | Read (optional) | Needed only for github_check_ci |
If the pushed commits add or change any .github/workflows/*.yml file, GitHub blocks the push with a 403 even when Contents: Read & Write is set. You need both permissions.
For Repository access, either select your specific repository or choose All repositories. Fine-grained PATs scoped to a specific repo will fail with a 403 if you later try to push to a different one.
After creating the token, copy it immediately - GitHub shows it only once.
Step 2: Store the token in Keepra vault
Open Keepra, go to Vault, and click + Add. Choose type Token / API Key. Fill in:
- Title - something clear, e.g. "GitHub - keepra repo"
- Service - "github.com"
- Access Token - paste the PAT you just copied
Save it. The value is encrypted with AES-256-GCM before being stored. Even if someone reads your localStorage, they cannot recover the token without your Keepra Secret Key.
Step 3: Grant your MCP key access to the vault item
Go to MCP Connector in the sidebar. Find the key your AI client uses and click Edit (pencil icon). Scroll down to Vault Items and tick the GitHub token item you just created. Save the key.
Step 4: Use the GitHub MCP tools
With Keepra running and the vault item granted, you can now ask your AI to push. The AI needs to know two things: the vault item ID (visible in the MCP Connector vault item list as a short code like mqs4s1lhaexe) and the repo path on your disk.
Example prompts that work:
"Push the master branch to the source branch on GitHub.
Vault item for the GitHub token: mqs4s1lhaexe
Repo path: D:\Projects\myapp"
"Create and push a git tag v2.1.0 to trigger the CI build.
Use vault item mqs4s1lhaexe for the GitHub token."
The MCP tool call your AI makes looks like this. Note that the actual PAT is not present anywhere in the call:

github_push_branch({
  vault_item_id: "mqs4s1lhaexe", // just an ID, not the token
  repo_path: "D:\\Projects\\myapp",
  local_branch: "master",
  remote_branch: "source"
})
How Keepra keeps the token hidden
Here is exactly what happens inside Keepra when the MCP tool runs:
- Keepra receives the tool call with `vault_item_id`.
- It calls `KeepraBridge.get_credential(vault_item_id)` in the renderer process, the same path used by run_command. This fetches the decrypted PAT from the vault into memory only, never to disk.
- For a push: the token is embedded in the git remote URL (`https://x-access-token:TOKEN@github.com/...`) held in a temporary variable. The `git push` runs. In the `finally{}` block, the remote URL is restored to its clean form, whether the push succeeded or failed.
- For API calls (tag creation, CI check, release upload): the token goes into an `Authorization: Bearer` header only, never in URLs or request bodies.
- Before returning anything to the AI, `_redactSecrets()` scans every line of stdout and stderr and replaces any occurrence of the token with `[REDACTED]`.
The result: the audit log records what operation ran and who called it, but never the token value. Your AI client sees a success message. Your git remote is clean.
Full request flow
Common issues and fixes
403: Permission denied, even with Contents:Write set
Your repo almost certainly has a .github/workflows/ directory. GitHub treats workflow files as a protected resource: any push that creates or updates one is refused unless the PAT has Workflows: Read & Write, even when Contents: Read & Write is set. This also bites when the branch you push carries workflow files the remote branch does not have yet (a new remote branch, for instance), so it can look as if you never touched them. Add the Workflows permission to the token and, if the token value changed, update the vault item.
403: Repository not found
Your fine-grained PAT was scoped to a specific repository list that does not include the target repo. Either add the repo to the token's repository access list, or switch the token to All repositories.
401: Invalid username or token
The PAT has expired, been revoked, or been regenerated (regenerating a token issues a new value and invalidates the old one). Update the Access Token field in the Keepra vault item with the new value.
MCP tool blocked by the AI client's classifier
Some AI clients (including Claude Code in auto mode) have a classifier that blocks certain operations. For Claude Code, add the Keepra GitHub tools you use (mcp__keepra__github_push_branch and mcp__keepra__github_create_tag at minimum, all four if you also poll CI and upload release assets) to the allow list in .claude/settings.local.json:

{
  "permissions": {
    "allow": [
      "mcp__keepra__github_push_branch",
      "mcp__keepra__github_create_tag",
      "mcp__keepra__github_check_ci",
      "mcp__keepra__github_release_upload"
    ]
  }
}
Frequently asked questions
Does Keepra need to be running?
Yes. The MCP bridge (keepra-mcp.js) communicates with the Keepra desktop app over localhost:47615. If Keepra is not running, tool calls return a 503 error. The app does not need to be in the foreground, just open.
Is the token ever written to disk?
No. The token is decrypted from the vault into memory only. The git remote URL is modified in-process and restored in a finally{} block. Nothing is written to .git/config or any temporary file. One caveat: a finally{} block cannot run if the Keepra process itself is killed mid-push, so after a crash it is worth running git remote -v in the repo to confirm the remote URL is clean.
Can I use a classic PAT instead of a fine-grained one?
Yes. Classic PATs with the repo scope (and workflow if you have workflow files) work fine. Fine-grained PATs are recommended because they limit the blast radius to specific repositories.
Can multiple AI clients share the same vault item?
Yes. Each MCP key has its own scope settings. You can grant the same vault item to keys for Claude, Cursor, and ChatGPT independently. Revoke one key without affecting the others.
Where is the audit log?
Keepra logs every MCP tool call in the audit log (Settings > AI Access > Audit Log). Each entry shows the operation type, the key that called it, and the timestamp. The token value is never logged.
Ready to give your AI safe GitHub access?
Download Keepra, store your GitHub PAT in the vault, and push from Claude or Cursor in under 5 minutes.